CVE-2024-38359

{"id": "CVE-2024-38359", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-06-20T23:15:52.700", "references": [{"url": "https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979", "source": "security-advisories@github.com"}, {"url": "https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta", "source": "security-advisories@github.com"}, {"url": "https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7", "source": "security-advisories@github.com"}, {"url": "https://lightning.network", "source": "security-advisories@github.com"}, {"url": "https://morehouse.github.io/lightning/lnd-onion-bomb", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation."}], "lastModified": "2024-06-21T11:22:01.687", "sourceIdentifier": "security-advisories@github.com"}